Create a Rule to Permit or Deny Users Based on an Incoming Claim


In Windows Server 2016, you can use an Access Control Policy to create a rule that will permit or deny users based on an incoming claim. In Windows Server 2012 R2, using the Permit or Deny Users Based on an Incoming Claim rule template in Active Directory Federation Services (AD FS), you can create an authorization rule that will grant or deny users access to the relying party based on the type and value of an incoming claim.

For example, you can use this to create a rule that permits only users who have a group claim with the value Domain Admins to access the relying party. If you want to permit all users to access the relying party, use the Permit Everyone Access Control Policy or the Permit All Users rule template, depending on your version of Windows Server. Users who are permitted to access the relying party by the Federation Service may still be denied service by the relying party itself.
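As an added example (not part of the original article), the following PowerShell shows the issuance authorization rule text that the Permit or Deny Users Based on an Incoming Claim template generates for the Domain Admins case above, plus a matching deny rule, and applies it with the AD FS module instead of the snap-in. The relying party name is a placeholder; the role claim URI and the permit/deny claim URIs are the fixed values AD FS uses.

```powershell
# Assumption: replace with the display name of your relying party trust.
$rpName = 'RELYING-PARTY-PLACEHOLDER'

# Rule 1: permit users whose role claim is exactly "Domain Admins".
# "^(?i)Domain Admins$" is anchored and case-insensitive, which is what the
# template emits; an unanchored "Domain Admins" would also match values such
# as "Domain Admins Helpdesk".
$permitRule = @'
@RuleName = "Permit Domain Admins"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "^(?i)Domain Admins$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

# Rule 2 (constructed for illustration): deny anyone carrying a "Contractors"
# role claim. If any deny claim is issued, AD FS refuses the request even when
# a permit claim was issued as well, so deny rules take precedence.
$denyRule = @'
@RuleName = "Deny Contractors"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "^(?i)Contractors$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
'@

$rules = $permitRule + "`n" + $denyRule

# On Windows Server 2016, a relying party that has an Access Control Policy
# assigned uses that policy instead of custom rules; clear it first.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null

# Apply the rule set and read back what is now configured.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Run this in an elevated PowerShell session on the AD FS server; the final line prints the rule text so you can confirm it matches what the wizard would have produced.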

You can use the following procedure to create a claim rule with the AD FS Management snap-in.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To create a rule to permit users based on an incoming claim on Windows Server 2016

In the Name box, enter a name for your policy and a description, and then click Add.

In the Rule Editor, make sure Everyone is selected. Under Except, select the check box for "with specific claims in the request", and then click the underlined word "specific" at the bottom.

In the console tree, under AD FS\Trust Relationships\Relying Party Trusts, click the trust in the list for which you want to create this rule.

On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based on an Incoming Claim from the list, and then click Next.

On the Configure Rule page, under Claim rule name, type the display name for this rule; under Incoming claim type, select a claim type from the list; under Incoming claim value, type a value or click Browse (if it is available) and select a value; and then select one of the following options, depending on the needs of your organization: